The sanction comes after Twitter was found to have violated the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018, because it failed to notify the regulator within 72 hours of discovering the breach.
The inquiry was headed by Ireland’s DPC because Twitter’s international headquarters are in Dublin.
Ireland’s DPC posted its draft decision in May as part of the GDPR’s comments process.
But because the GDPR is in force across the entire EU, regulators in several other member states raised objections to a number of points in the draft decision, which eventually led to a dispute-resolution process.
One key objection raised was against the amount the DPC wanted to fine Twitter, the outlet notes, as the fine of €450,000 ($546,000) is well short of the 2 percent of Twitter’s global annual revenue that can be levied under GDPR rules.
The Irish regulator originally wanted to fine Twitter even less than this as it believed Twitter’s failing was unintentional, according to the Wall Street Journal, but it decided to increase the amount after consulting with its European counterparts.
Under the GDPR, regulators can fine companies up to 2 percent of their global annual revenue for failing to notify them of a data breach within 72 hours. Based on Twitter’s 2019 revenue, this could reach $69 million.
The law, however, directs regulators to take into account the gravity and duration of the violation, the type of personal information at issue and other factors.
The fact that this dispute resolution took so long and resulted in a relatively low penalty has led to criticism of the GDPR’s effectiveness. It may also lead some national regulators to sidestep it in future, particularly as so many US tech companies are based in Ireland, which means that the DPC would continue to lead on most future probes.
There are already signs that this is happening. Last week, France’s privacy regulator, the CNIL, fined Google and Amazon a combined $163 million for violations of a separate rule called the ePrivacy directive.
Social media users were quick to point out the small size of the fine relative to Twitter's revenue.
*LOL* Twitter got away with € 450k as the first #GDPR fine by the DPC -- 0,016% of their revenue in 2019... 🤨 In other words: They need 1.5 hours to make that amount in revenue and pay the fine... https://t.co/ZP56uWMpri — Max Schrems 🇪🇺🇦🇹 (@maxschrems) December 15, 2020
Others noted the number of EU member state regulators who opposed handing Twitter such a small fine.